[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

Le mardi 25 avril 2017 à 10:04 +0200, Robert Moskowitz a écrit :
> I thought I had this fixed, but I do not.  I was away from this problem 
> working on other matters, and came back (after a reboot) and it is still 
> there, so I suspect when I thought I had it 'fixed' I was running with 
> setenforce 0 from another problem (that is fixed).
> 
> So anyone know how to get dovecot dict connecting to mysql when 
> enforcing?  Googling is not finding any real help.

Hi,

I’ve got some « tweaking » here (using postgresql, obviously) so that
dovecot runs properly with SELinux enabled,

HTH,
Laurent.

module mydovecot 1.0;

require {
        type dovecot_auth_t;
        type postgresql_port_t;
        type dovecot_t;
        type var_t;
        type postfix_virtual_tmp_t;
        class tcp_socket name_connect;
        class file { rename read lock create write getattr link unlink
open append };
        class dir { read write create add_name remove_name };
}

#============= dovecot_auth_t ==============

#!!!! This avc is allowed in the current policy
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;

#============= dovecot_t ==============

#!!!! This avc is allowed in the current policy
allow dovecot_t postfix_virtual_tmp_t:file { rename write unlink open
link };
allow dovecot_t var_t:dir create;

#!!!! This avc is allowed in the current policy
allow dovecot_t var_t:dir { read write add_name remove_name };

#!!!! This avc is allowed in the current policy
allow dovecot_t var_t:file { rename read lock create write getattr link
unlink open append };

-- 
Laurent Wandrebeck <l.wandrebeck at quelquesmots.fr>